For security and management reasons, the reachability among hosts that are physically interconnected is often limited by Access Control Lists (ACLs), i.e., packet filters, configured on routers and firewalls. An ACL consists of a list of rules, where each rule has a predicate over some packet header fields and a decision (i.e., action) to be taken for the packets that match the predicate. The decision of a rule is typically accept (i.e., permit) or discard (i.e., deny). As a packet may match two rules in an ACL and the two rules may have different decisions, the decision for a packet is the decision of the first (i.e., highest priority) rule that the packet matches. Table 1 shows an example ACL.
Correctly configuring ACLs is critical as it controls the reachability of the hosts in a network. However, ACLs are difficult to configure correctly. First, the rules in an ACL are logically entangled because of conflicts among rules and the resulting order sensitivity. Second, an ACL may consist of a large number (e.g., thousands) of rules. Third, an ACL often consists of legacy rules written by different administrators, at different times, and for different reasons. Maintaining a large number of legacy rules is difficult. Last but not least, the ACLs deployed on a network are often maintained by different administrators, and the lack of sufficient communication among them may contribute to errors in individual ACLs. It has been observed that ACLs on the Internet often contain errors. An error in an ACL either creates security holes that allow malicious traffic to sneak into a private network or blocks legitimate traffic and disrupts normal business, which in turn could lead to irreparable, if not tragic, consequences.
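The first-match semantics described above, and the order sensitivity that results from conflicting rules, can be made concrete with a small evaluator. The following is an added example written for this section; it is not code from the disclosure, and the four-rule ACL and the packets it uses are constructed here rather than taken from Table 1. It evaluates a packet against an ordered rule list, shows that swapping two overlapping rules with different decisions changes the outcome for the same packet, and lists every pair of rules whose predicates overlap while their decisions differ, which is the kind of entanglement an administrator would want flagged before deployment.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed data model: a predicate over source, destination,
# protocol and destination port, plus an accept/discard decision.
@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]              # None means "any protocol"
    dport: Optional[Tuple[int, int]]  # inclusive port range; None means "any"
    action: str                       # "accept" or "discard"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule's predicate covers the packet."""
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, default: str = "discard") -> Tuple[str, Optional[str]]:
    """First-match semantics: the highest-priority matching rule decides.

    Returns (decision, rule name); rule name is None when no rule matched
    and the ACL's implicit default applied.
    """
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both predicates (all fields intersect)."""
    if not a.src.overlaps(b.src) or not a.dst.overlaps(b.dst):
        return False
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    if a.dport is not None and b.dport is not None:
        if a.dport[0] > b.dport[1] or b.dport[0] > a.dport[1]:
            return False
    return True


def conflicts(acl: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) of rules that overlap but decide differently.

    For such a pair the relative order matters: reordering changes the
    decision for every packet in the intersection of the two predicates.
    """
    found = []
    for i in range(len(acl)):
        for j in range(i + 1, len(acl)):
            if acl[i].action != acl[j].action and overlaps(acl[i], acl[j]):
                found.append((acl[i].name, acl[j].name))
    return found


# Constructed sample ACL (not the disclosure's Table 1).
N = ipaddress.IPv4Network
ACL = [
    Rule("r1", N("10.0.0.0/8"),     N("192.168.1.10/32"), "tcp", (80, 80),   "accept"),
    Rule("r2", N("10.1.0.0/16"),    N("192.168.1.0/24"),  None,  None,       "discard"),
    Rule("r3", N("0.0.0.0/0"),      N("192.168.1.0/24"),  "tcp", (443, 443), "accept"),
    Rule("r4", N("0.0.0.0/0"),      N("0.0.0.0/0"),       None,  None,       "discard"),
]

# Constructed packets: the first lies in the intersection of r1 and r2.
WEB_PKT = Packet(ipaddress.IPv4Address("10.1.2.3"), ipaddress.IPv4Address("192.168.1.10"), "tcp", 80)
DNS_PKT = Packet(ipaddress.IPv4Address("172.16.0.1"), ipaddress.IPv4Address("192.168.2.1"), "udp", 53)


def swapped_first_two(acl: List[Rule]) -> List[Rule]:
    """Same rules, with the first two exchanged, to expose order sensitivity."""
    return [acl[1], acl[0]] + acl[2:]


if __name__ == "__main__":
    print("original order :", evaluate(ACL, WEB_PKT))
    print("r1/r2 swapped  :", evaluate(swapped_first_two(ACL), WEB_PKT))
    print("no explicit hit:", evaluate(ACL[:3], DNS_PKT))
    print("conflicting pairs:", conflicts(ACL))
```

Running the block shows the same web packet accepted under the original order and discarded once r1 and r2 are exchanged; the conflict list names every such order-sensitive pair, including the expected conflicts with the catch-all r4, so an administrator reviewing a large legacy ACL can concentrate on the pairs whose ordering actually changes behaviour.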
This section provides background information related to the present disclosure which is not necessarily prior art.